
Andreas Steffen, 5.12.2011, 13-VPN.pptx 1

Internet Security 1 (IntSi1)

Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

13 Virtual Private Networks

Andreas Steffen, 5.12.2011, 13-VPN.pptx 2

Layer 2 versus Layer 3 versus Layer 4

Communication layers and their security protocols:

Application layer:  ssh, S/MIME, PGP, Kerberos, WSS
Transport layer:    TLS, [SSL]
Network layer:      IPsec
Data Link layer:    [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer:     Quantum Communications

Andreas Steffen, 5.12.2011, 13-VPN.pptx 3

Internet Security 1 (IntSi1)

13.1 Point-to-Point Protocol (PPP)

Andreas Steffen, 5.12.2011, 13-VPN.pptx 4

PPP-based Remote Access using Dial-In

Remote Client --- PSTN (POTS / ISDN) --- Remote Access Server --- Private Network

Encapsulation on the dial-in link (Public Switched Telephone Network):
PPP | IP, IPX | Payload
The Remote Access Server removes the PPP framing and forwards IP, IPX | Payload into the Private Network.

• Authentication using PAP (password), CHAP (challenge/response), or the Extensible Authentication Protocol (EAP) supporting e.g. token cards
• Optional PPP packet encryption (ECP) using preshared secrets
• Individual PPP packets are not authenticated
• The Link Control Protocol (LCP), as well as EAP and ECP are not protected !!

Andreas Steffen, 5.12.2011, 13-VPN.pptx 5

The PPP Encryption Control Protocol (ECP)

• The Encryption Control Protocol (ECP, RFC 1968) uses the same packet exchange mechanism as the Link Control Protocol (LCP, RFC 1661).
• ECP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase and should wait for an optional Authentication phase.
• Exactly one ECP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x8053.
• An encrypted packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x0053 (Encrypted datagram).
• Compression may also be negotiated using the Compression Control Protocol (CCP, RFC 1962).
• ECP implementations should use the PPP Triple-DES Encryption Protocol (3DESE, RFC 2420). DES-EDE3-CBC with a 168 bit key is used.

ECP packet:        0x8053 | Code | ID | Length | ECP Options (algorithm, IV)
Encrypted packet:  0x0053 | Seq. Nr | Ciphertext

Andreas Steffen, 5.12.2011, 13-VPN.pptx 6

The PPP Extensible Authentication Protocol (EAP)

• Some of the authentication types supported by EAP (RFC 2284):
   1  Identity
   4  MD5-Challenge
   5  One-Time Password (OTP, RFC 2289)
   6  Generic Token Card
   9  RSA Public Key Authentication
  13  EAP-TLS (RFC 2716, supported by Windows XP)
  15  RSA Security SecurID EAP
  17  EAP-Cisco Wireless
  18  Nokia IP smart card authentication
  23  UMTS Authentication and Key Agreement
  24  EAP-3Com Wireless
  25  PEAP (Protected EAP, supported by Windows XP)
  29  EAP-MSCHAP-V2 (supported by Windows XP)
  35  EAP-Actiontec Wireless
  36  Cogent Systems Biometrics Authentication EAP

EAP packet:  0xC227 | Code | ID | Length | Type | Data

Andreas Steffen, 5.12.2011, 13-VPN.pptx 7

Internet Security 1 (IntSi1)

13.2 Layer 2/3/4 VPNs


Andreas Steffen, 5.12.2011, 13-VPN.pptx 8

Layer 2 Tunneling Protocol (L2TP) – Compulsory Mode

Remote Client --- PSTN --- ISP NAS (Network Access Server, L2TP LAC) --- Internet --- L2TP LNS --- Private Network

Layer 2 (PPP over PSTN, Remote Client to NAS):
PPP | IP, IPX | Payload

Layer 3 (L2TP Tunnel from LAC to LNS, UDP Port 1701 over IP):
IP | UDP | L2TP | PPP | IP, IPX | Payload

Private Network (behind the LNS):
IP, IPX | Payload

Andreas Steffen, 5.12.2011, 13-VPN.pptx 9

Layer 2 Tunneling Protocol (L2TP) – Voluntary Mode

Remote Client (L2TP LAC) --- PSTN --- ISP NAS (Network Access Server) --- Internet --- L2TP LNS --- Private Network

PPP over PSTN (Remote Client to NAS; the L2TP Tunnel already starts at the client):
PPP | IP | UDP | L2TP | PPP | IP, IPX | Payload

L2TP Tunnel (NAS acts only as a Layer 2 Connection (Wire); UDP Port 1701 over IP to the LNS):
IP | UDP | L2TP | PPP | IP, IPX | Payload

Private Network (behind the LNS):
IP, IPX | Payload

Andreas Steffen, 5.12.2011, 13-VPN.pptx 10

Layer 3 Tunnel based on IPSec

VPN Client --- PSTN --- ISP --- Internet --- VPN Gateway --- Private Network

PSTN (VPN Client to ISP):                      PPP | IP | ESP | IP | Payload
IPsec Tunnel (over the Internet to the VPN Gateway):  IP | ESP | IP | Payload
Private Network (behind the VPN Gateway):      IP | Payload

Andreas Steffen, 5.12.2011, 13-VPN.pptx 11

L2TP over IPsec (RFC 3193) – Voluntary Mode

Remote Client (L2TP LAC) --- PSTN --- ISP NAS (Network Access Server) --- Internet --- L2TP LNS --- Private Network

PPP over PSTN (Remote Client to NAS):
PPP | IP | ESP | UDP | L2TP | PPP | IP, IPX | Payload

L2TP Tunnel protected by IPSec Transport Mode (NAS acts only as a Layer 2 Connection (Wire); to the LNS):
IP | ESP | UDP | L2TP | PPP | IP, IPX | Payload

Private Network (behind the LNS):
IP, IPX | Payload

Andreas Steffen, 5.12.2011, 13-VPN.pptx 12

Layer 4 Tunnel based on SSL/TLS

Browser with Plugin --- PSTN --- ISP --- Internet --- SSL/TLS Proxy Server --- Private Network

PSTN (Browser to ISP):                              PPP | IP | TCP* | SSL | IP | Payload
SSL/TLS Tunnel (over the Internet to the SSL/TLS Proxy Server):  IP | TCP* | SSL | IP | Payload
Private Network (behind the SSL/TLS Proxy Server):  IP | Payload

*OpenVPN uses SSL over UDP

Andreas Steffen, 5.12.2011, 13-VPN.pptx 13

Layer 2/3/4 VPNs – Pros and Cons

• Layer 2 – L2TP
  - Same login procedure as PPP (preshared secrets, RADIUS, etc.)
  - Same auxiliary information as with PPP (virtual IP, DNS/WINS servers)
  - No strong security without IPsec, LCP can be cheated into establishing no encryption.
  - Non-authenticated L2TP packets prone to replay attacks.

• Layer 3 – IPSec
  - Cryptographically strong encryption and authentication of VPN tunnel
  - Can negotiate and enforce complex VPN access control policies
  - XAUTH and IKEv2-EAP authentication offer PPP-like features
  - Does not allow the tunneling of non-IP protocols (IPX, etc.)
  - Complex connection setup, PKI management overhead

• Layer 4 – TLS
  - Clientless and simple: Internet Browser plus Java Applets or Plugin.
  - Cryptographically strong encryption and authentication of VPN tunnel
  - Access to certain applications need special plugin (still clientless?)

Andreas Steffen, 5.12.2011, 13-VPN.pptx 14

Internet Security 1 (IntSi1)

13.3 Multi-Protocol Label Switching (MPLS)

Andreas Steffen, 5.12.2011, 13-VPN.pptx 15

MPLS based Virtual Private Networks

[Diagram: IP-Network of a Service Provider with edge routers E1, E2, E3, E4 and core nodes N1, N3. User A and User B each have two sites attached to the provider edge. IP packets of User A (IP | A) traverse the core carrying the labels L1, L3, L5 (IP | A | L1, IP | A | L3, IP | A | L5); IP packets of User B (IP | B) carry the labels L2, L4, L6. The label is present only inside the provider network: the packets leave the edge routers towards the user sites again as plain IP | A and IP | B.]

Andreas Steffen, 5.12.2011, 13-VPN.pptx 16

MPLS Layer 2 Shim Header (RFC 3032)

Label (20 Bits) | CoS (Class of Service, 3 Bits) | B (Bottom of Stack, 1 Bit) | TTL (Time to Live, 8 Bits)

Total length: 4 Bytes

Andreas Steffen, 5.12.2011, 13-VPN.pptx 17

Internet Security 1 (IntSi1)

13.4 IPsec Transport Mode


Andreas Steffen, 5.12.2011, 13-VPN.pptx 18

IPsec – Transport Mode

194.230.203.86 --- secure IP connection over the Internet --- 160.85.128.3

• IP datagrams should be authenticated
• IP datagrams should be encrypted and authenticated

Andreas Steffen, 5.12.2011, 13-VPN.pptx 19

IPsec – Transport Mode: IP Authentication Header (AH)

• IP protocol number for AH: 51
• Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum

AH: RFC 4302

Before applying AH (IPv4):  Original IP Header | TCP Header | Data
After applying AH (IPv4):   Original IP Header | AH Header | TCP Header | Data
                            authenticated: the whole datagram, except for the mutable fields of the IP header
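As an added example (not part of the slides), the following Python code shows what "authenticated except for mutable fields" means for an IPv4 transport-mode packet: the integrity check value (ICV) is computed over the IP header with TOS, Flags/Fragment Offset, TTL and header checksum zeroed, so a router decrementing the TTL on the path does not break verification, while any change to the TCP data does. HMAC-SHA1-96 (RFC 2404, 12-byte ICV) is used as the integrity algorithm; the key, the TCP segment and all function names are constructed for this example and are not from the lecture.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number for AH (from the slide)
ICV_LEN = 12           # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed for the example


def ipv4_header(src, dst, proto, total_len, tos=0, ident=0, flags_frag=0, ttl=64, checksum=0):
    """20-byte IPv4 header without options (constructed; checksum left at 0 here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, checksum,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split(".")))


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the mutable fields named on the slide zeroed:
    TOS (byte 1), Flags + Fragment Offset (bytes 6-7), TTL (byte 8), checksum (bytes 10-11)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_header, spi, seq, icv):
    """AH header; Payload Len is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_header, spi, seq, upper_layer):
    """ICV over: IP header with mutable fields zeroed || AH header with zeroed ICV || upper-layer data."""
    ah_zeroed = ah_header(next_header, spi, seq, bytes(ICV_LEN))
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + upper_layer
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def apply_ah(key, src, dst, upper_proto, upper_layer, spi, seq, ttl=64):
    """Transport mode: Original IP Header | AH Header | TCP Header | Data."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(upper_layer)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len, ttl=ttl)
    icv = compute_icv(key, ip_hdr, upper_proto, spi, seq, upper_layer)
    return ip_hdr + ah_header(upper_proto, spi, seq, icv) + upper_layer


def verify_ah(key, packet):
    """Receiver: parse the AH header, recompute the ICV and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(rest) < AH_FIXED_LEN:
        return False
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(rest) < ah_len:
        return False
    icv, upper_layer = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, upper_layer)
    return hmac.compare_digest(icv, expected)


def router_hop(packet):
    """Simulate a router on the path: TTL decremented, header checksum rewritten (dummy value here)."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x12\x34"
    return bytes(p)


def tamper_data(packet):
    """Flip one bit of the TCP data; AH must reject the packet."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)


def build_sample():
    """Packet between the two hosts of the transport-mode slide, next header TCP (6); data constructed."""
    return apply_ah(SAMPLE_KEY, "194.230.203.86", "160.85.128.3", 6,
                    b"constructed TCP header and data", spi=0x1000, seq=1)


if __name__ == "__main__":
    pkt = build_sample()
    print("original  :", verify_ah(SAMPLE_KEY, pkt))                # True
    print("after hop :", verify_ah(SAMPLE_KEY, router_hop(pkt)))    # True: TTL and checksum are mutable
    print("tampered  :", verify_ah(SAMPLE_KEY, tamper_data(pkt)))   # False
```

The same zeroing rule is what makes AH incompatible with NAT: a translator rewrites the source address, which is not a mutable field, so the ICV no longer matches at the receiver.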


Andreas Steffen, 5.12.2011, 13-VPN.pptx 20

IPsec – Transport Mode: IP Encapsulating Security Payload (ESP)

• IP protocol number for ESP: 50
• ESP authentication is optional
• With ESP authentication the IP header is not protected.

ESP: RFC 4303

Before applying ESP (IPv4):  Original IP Header | TCP Header | Data
After applying ESP (IPv4):   Original IP Header | ESP Header | TCP Header | Data | ESP Trailer | ESP Auth
                             encrypted:      TCP Header | Data | ESP Trailer
                             authenticated:  ESP Header | TCP Header | Data | ESP Trailer

Andreas Steffen, 5.12.2011, 13-VPN.pptx 21

Internet Security (IntSi1)

13.5 IPsec Tunnel Mode


Andreas Steffen, 5.12.2011, 13-VPN.pptx 22

IPsec – Tunnel Mode: Virtual Private Network (VPN)

Subnet 10.1.0.0/16 (hosts 10.1.0.1, 10.1.0.2, 10.1.0.3) --- Security Gateway 194.230.203.86 --- secure IP tunnel over the Internet --- Security Gateway 160.85.180.0 --- Subnet 10.2.0.0/16 (hosts 10.2.0.1, 10.2.0.2, 10.2.0.3)

Andreas Steffen, 5.12.2011, 13-VPN.pptx 23

IPsec Tunnel Mode using ESP

• IP protocol number for ESP: 50
• ESP authentication is optional but often used in place of AH
• Original IP Header is encrypted and therefore hidden

Encapsulating Security Payload (ESP): RFC 4303

Before applying ESP (IPv4):  Original IP Header | TCP Header | Data
After applying ESP (IPv4):   Outer IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Auth
                             encrypted:      Original IP Header | TCP Header | Data | ESP Trailer
                             authenticated:  ESP Header | Original IP Header | TCP Header | Data | ESP Trailer

Andreas Steffen, 5.12.2011, 13-VPN.pptx 24

ESP Header (Initial Header / Payload / Trailer)

After applying ESP, in 32-bit words (bytes 0 1 2 3):

  Security Parameters Index (SPI)                      4 bytes
  Anti-Replay Sequence Number                          4 bytes
  Payload Data (variable, including IV)
  Padding (0-255 bytes)
  Padding (cont.) | Pad Length | Next Header           Pad Length and Next Header are the last 2 bytes of the last word
  Authentication Data (variable)

encrypted:      Payload Data, Padding, Pad Length, Next Header
authenticated:  SPI, Anti-Replay Sequence Number, Payload Data, Padding, Pad Length, Next Header

Andreas Steffen, 5.12.2011, 13-VPN.pptx 25

IPsec Tunnel Mode CBC Packet Overhead (Bytes)

                           3DES_CBC with integrity algorithm             AES_CBC with integrity algorithm
Component                  SHA1_96 XCBC_96 SHA2_256 SHA2_384 SHA2_512   SHA1_96 XCBC_96 SHA2_256 SHA2_384 SHA2_512
Outer IP Header                 20      20       20       20       20        20      20       20       20       20
SPI / Seq. Number                8       8        8        8        8         8       8        8        8        8
IV (3DES_CBC 8, AES_CBC 16)      8       8        8        8        8        16      16       16       16       16
max Pad (3DES_CBC 7, AES_CBC 15) 7       7        7        7        7        15      15       15       15       15
Pad Len / Next Header            2       2        2        2        2         2       2        2        2        2
Authentication Data             12      12       16       24       32        12      12       16       24       32
Best Case Overhead              50      50       54       62       70        58      58       62       70       78
Worst Case Overhead             57      57       61       69       77        73      73       77       85       93

Integrity algorithms and their Authentication Data size: HMAC_SHA1_96 (12), AES_XCBC_96 (12), HMAC_SHA2_256_128 (16), HMAC_SHA2_384_192 (24), HMAC_SHA2_512_256 (32). Best case: no Padding needed; worst case: block size minus one byte of Padding.

Andreas Steffen, 5.12.2011, 13-VPN.pptx 26

Authenticated Encryption with Associated Data (AEAD)

• AEAD is based on special block cipher modes:
  - Block size: 128 bits
  - Key size: 128/256 bits
  - Tag size: 128/96/64 bits
  - Nonce size: 96 bits
• Recommended AEAD Modes: AES-Galois/Counter Mode, AES-GMAC (auth. only)
• Alternative AEAD Modes: AES-CCM, CAMELLIA-GCM, CAMELLIA-CCM

Counter block:  Salt (32 bits) | IV (64 bits) | Counter (32 bits)
The counter blocks Salt | IV | 0, Salt | IV | 1, Salt | IV | 2, ... are each encrypted with Key K.

Hash Subkey Derivation:  Hash Subkey H = encryption of the all-zero block 0…0 with Key K

Andreas Steffen, 5.12.2011, 13-VPN.pptx 27

IPsec Tunnel Mode AEAD Packet Overhead (Bytes)

Component                                 AES_GCM_64 Tag  AES_GCM_96 Tag  AES_GCM_128 Tag
Outer IP Header                                       20              20               20
Security Parameter Index / Seq. Number                 8               8                8
AES_GCM IV                                             8               8                8
AES_CNT max Pad                                        3               3                3
Pad Len / Next Header                                  2               2                2
Tag                                                    8              12               16
Best Case Overhead                                    46              50               54
Worst Case Overhead                                   49              53               57

Additional Authenticated Data (bytes 0 1 2 3 per word):
  Security Parameter Index | Sequence Number
or
  Security Parameter Index | Extended Sequence Number
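As an added example (not part of the slides), the following Python code implements the ESP trailer rule behind the two overhead tables: Payload Data, Padding, Pad Length and Next Header must fill out the cipher block (8 bytes for 3DES_CBC, 16 for AES_CBC) or only a 4-byte boundary for the counter-based AES_GCM, and the overhead functions reproduce the best/worst-case numbers of the CBC and AEAD tables from the per-component sizes. It also builds the Salt | IV | Counter block and the SPI | (Extended) Sequence Number AAD of the AEAD slides. The parameter tables are the slides' own values; the sample plaintext and all function names are constructed for this example and are not from the lecture.

```python
import struct

# Fixed overhead components from the slides' tables (bytes)
OUTER_IP = 20          # Outer IP Header (IPv4, no options)
SPI_SEQ = 8            # Security Parameters Index + Sequence Number
PADLEN_NEXTHDR = 2     # Pad Length + Next Header
CTR_ALIGN = 4          # counter modes need only 4-byte alignment of the trailer

CBC_CIPHERS = {"3DES_CBC": {"iv": 8, "block": 8}, "AES_CBC": {"iv": 16, "block": 16}}
INTEGRITY = {"HMAC_SHA1_96": 12, "AES_XCBC_96": 12, "HMAC_SHA2_256_128": 16,
             "HMAC_SHA2_384_192": 24, "HMAC_SHA2_512_256": 32}
GCM_TAGS = {"AES_GCM_64": 8, "AES_GCM_96": 12, "AES_GCM_128": 16}
GCM_IV = 8             # 64-bit IV carried in the packet; the 32-bit Salt is never sent


def esp_padding(plaintext_len, align):
    """Padding bytes so that Payload || Padding || Pad Length || Next Header is a multiple of align."""
    return (-(plaintext_len + PADLEN_NEXTHDR)) % align


def esp_trailer(plaintext, next_header, align):
    """Sender: append Padding (default pattern 1, 2, 3, ...), Pad Length and Next Header."""
    n = esp_padding(len(plaintext), align)
    return plaintext + bytes(range(1, n + 1)) + bytes([n, next_header])


def strip_trailer(decrypted):
    """Receiver: read Pad Length / Next Header and verify the default padding pattern."""
    if len(decrypted) < PADLEN_NEXTHDR:
        raise ValueError("ESP trailer too short")
    pad_len, next_header = decrypted[-2], decrypted[-1]
    body_end = len(decrypted) - PADLEN_NEXTHDR - pad_len
    if body_end < 0 or decrypted[body_end:-PADLEN_NEXTHDR] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return decrypted[:body_end], next_header


def tunnel_overhead(iv_len, align, icv_len, inner_len=None):
    """Bytes that tunnel-mode ESP adds to an inner IP packet.
    Without inner_len: (best case, worst case), i.e. 0 or align-1 bytes of Padding."""
    fixed = OUTER_IP + SPI_SEQ + iv_len + PADLEN_NEXTHDR + icv_len
    if inner_len is None:
        return fixed, fixed + align - 1
    return fixed + esp_padding(inner_len, align)


def cbc_overhead(cipher, integ, inner_len=None):
    """CBC table row: IV and block size from the cipher, ICV size from the integrity algorithm."""
    c = CBC_CIPHERS[cipher]
    return tunnel_overhead(c["iv"], c["block"], INTEGRITY[integ], inner_len)


def gcm_overhead(tag_alg, inner_len=None):
    """AEAD table row: the GCM tag takes the place of a separate ICV; 4-byte alignment only."""
    return tunnel_overhead(GCM_IV, CTR_ALIGN, GCM_TAGS[tag_alg], inner_len)


def gcm_counter_block(salt, iv, counter):
    """Counter block of the AEAD slide: 32-bit Salt || 64-bit IV || 32-bit Counter
    (the first 96 bits form the GCM nonce)."""
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("salt must be 4 bytes, IV 8 bytes")
    return salt + iv + struct.pack("!I", counter)


def gcm_aad(spi, seq, esn=False):
    """Additional Authenticated Data: SPI || Sequence Number or SPI || Extended Sequence Number."""
    return struct.pack("!IQ", spi, seq) if esn else struct.pack("!II", spi, seq)


def overhead_tables():
    """Both slides' tables as {row label: (best case, worst case)}."""
    table = {f"{c} / {i}": cbc_overhead(c, i) for c in CBC_CIPHERS for i in INTEGRITY}
    table.update({t: gcm_overhead(t) for t in GCM_TAGS})
    return table


if __name__ == "__main__":
    for row, (best, worst) in overhead_tables().items():
        print(f"{row:34s} best {best:3d}  worst {worst:3d}")
    # Exact overhead for a constructed 40-byte inner packet with AES_CBC / HMAC_SHA1_96
    print("AES_CBC / HMAC_SHA1_96, 40-byte inner packet:",
          cbc_overhead("AES_CBC", "HMAC_SHA1_96", 40))   # 64
```

The receiver-side check in strip_trailer matters in practice: with CBC modes the padding bytes are under the ICV, so a padding mismatch after a successful integrity check points to a broken implementation rather than to an attack, and a receiver that skips the integrity check and inspects padding first exposes a padding oracle.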


Andreas Steffen, 5.12.2011, 13-VPN.pptx 28

IPsec Tunnel Mode using AH

• IP protocol number for AH: 51
• Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum
• ESP can be encapsulated in AH

Authentication Header (AH): RFC 4302

Before applying AH (IPv4):  Original IP Header | TCP Header | Data
After applying AH (IPv4):   Outer IP Header | AH Header | Original IP Header | TCP Header | Data
                            authenticated: the whole datagram, except for the mutable fields of the Outer IP Header